CVE 8.7 HIGH

Jervis has a Salt for PBKDF2 derived from password_CVE-2025-68703

January 13, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.

AI Analysis

Derivation of salt from password in Jervis library prior to version 2.2

Basic Information

ID CVE-2025-68703

Source GitHub_M

Published Jan 13, 2026 at 19:27

Modified Jan 13, 2026 at 19:54

Affected Product

Vendor samrocketman

Product jervis

Version < 2.2

Affected Versions samrocketman jervis < 2.2

CWE Classification

CWE-326

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor samrocketman

Product jervis

Version < 2.2

References

{
    "lastseen": "",
    "description": "Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2.",
    "published": "2026-01-13T19:27:33.177Z",
    "modified": "2026-01-13T19:54:40.542Z",
    "type": "cve",
    "title": "Jervis has a Salt for PBKDF2 derived from password",
    "source": "GitHub_M",
    "references": "https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34\nhttps://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a",
    "id": "CVE-2025-68703",
    "bulletinFamily": "",
    "cwe": [
        "CWE-326"
    ],
    "cvelist": null,
    "sourceData": "samrocketman jervis < 2.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jervis",
    "version": "< 2.2",
    "vendor": "samrocketman",
    "ai_description": "Derivation of salt from password in Jervis library prior to version 2.2",
    "ai_severity": "High",
    "ai_vendor": "samrocketman",
    "ai_product": "jervis",
    "ai_version": "< 2.2",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply